LoFP / If the run time of a search falls outside the outlier boundary defined by the fitted density function model, a false positive can occur: a legitimately long-running search is labelled as potentially risky.

Techniques

Sample rules

Splunk Command and Scripting Interpreter Risky SPL MLTK

Description

This detection uses a machine learning model named "risky_command_abuse", trained by the "Splunk Command and Scripting Interpreter Risky SPL MLTK Baseline" search. It should be scheduled to run hourly to detect whether a user has run ad hoc searches containing risky SPL commands from the list at https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Commands_that_trigger_the_warninga with an abnormally long total run time in the past hour, compared with that user's previous seven days of history. The search applies the trained baseline to decide whether the hour's aggregate run time is an outlier (isOutlier ~= 1.0) or not (isOutlier ~= 0.0).

Detection logic

| tstats sum(Search_Activity.total_run_time) AS run_time, values(Search_Activity.search) as searches, count FROM datamodel=Splunk_Audit.Search_Activity WHERE (Search_Activity.user!="") AND (Search_Activity.total_run_time>1) AND (earliest=-1h@h latest=now) AND (Search_Activity.search IN ("*| runshellscript *", "*| collect *", "*| delete *", "*| fit *", "*| outputcsv *", "*| outputlookup *", "*| run *", "*| script *", "*| sendalert *", "*| sendemail *", "*| tscolle*")) AND (Search_Activity.search_type=adhoc) AND (Search_Activity.user!=splunk-system-user) BY _time, Search_Activity.user span=1h
| apply risky_command_abuse
| fields _time, Search_Activity.user, searches, run_time, IsOutlier(run_time)
| rename IsOutlier(run_time) as isOutlier, _time as timestamp
| where isOutlier>0.5
| `splunk_command_and_scripting_interpreter_risky_spl_mltk_filter`
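The pipeline above, re-expressed as an added Python simulation so the filters, the hourly aggregation and the outlier decision can be traced on constructed audit records. This is not Splunk ESCU or MLTK code. It assumes Search_Activity events as dicts carrying the fields the rule reads, and it stands in for the MLTK DensityFunction model with a per-user Gaussian fitted to past hourly run-time sums, judged against MLTK's default outlier threshold of 0.01; the users, searches and history below are all constructed.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# The rule's IN(...) list. "*| collect *" is an SPL wildcard match: the search
# text must contain "| collect " (trailing space included); "*| tscolle*" has none.
RISKY_SPL_FRAGMENTS = (
    "| runshellscript ", "| collect ", "| delete ", "| fit ", "| outputcsv ",
    "| outputlookup ", "| run ", "| script ", "| sendalert ", "| sendemail ",
    "| tscolle",
)
EXCLUDED_USERS = {"", "splunk-system-user"}
# Assumption: MLTK DensityFunction's default threshold (0.01) applied to a
# per-user Gaussian tail probability stands in for the real fitted model.
OUTLIER_THRESHOLD = 0.01


def contains_risky_spl(search):
    """Search_Activity.search IN ("*| collect *", ...) as a case-insensitive substring test."""
    lowered = search.lower()
    return any(fragment in lowered for fragment in RISKY_SPL_FRAGMENTS)


def hourly_risky_run_time(events, earliest, latest):
    """tstats stage: per-user sum of run time of risky ad hoc searches in [earliest, latest)."""
    rows = defaultdict(lambda: {"run_time": 0.0, "searches": set(), "count": 0})
    for ev in events:
        if not earliest <= ev["_time"] < latest:
            continue
        if ev["user"] in EXCLUDED_USERS or ev["search_type"] != "adhoc":
            continue
        if ev["total_run_time"] <= 1 or not contains_risky_spl(ev["search"]):
            continue
        row = rows[ev["user"]]
        row["run_time"] += ev["total_run_time"]  # sum(Search_Activity.total_run_time)
        row["searches"].add(ev["search"])        # values(Search_Activity.search)
        row["count"] += 1                        # count
    return dict(rows)


def fit_baseline(hourly_history):
    """Baseline 'fit' stand-in: Gaussian parameters of past hourly run_time sums."""
    return mean(hourly_history), pstdev(hourly_history)


def is_outlier(run_time, baseline):
    """'apply' stand-in returning IsOutlier(run_time) as 1.0 or 0.0."""
    mu, sigma = baseline
    if sigma == 0:                         # flat history: any change is an outlier
        return 1.0 if run_time != mu else 0.0
    z = abs(run_time - mu) / sigma
    tail = math.erfc(z / math.sqrt(2))     # two-sided Gaussian tail probability
    return 1.0 if tail < OUTLIER_THRESHOLD else 0.0


def detect(events, baselines, now):
    """Whole rule: window earliest=-1h@h..now, apply the model, keep isOutlier>0.5."""
    earliest = (now - timedelta(hours=1)).replace(minute=0, second=0, microsecond=0)
    alerts = []
    for user, row in hourly_risky_run_time(events, earliest, now).items():
        if user not in baselines:          # no fitted history for this user
            continue
        if is_outlier(row["run_time"], baselines[user]) > 0.5:
            alerts.append({"user": user, "run_time": row["run_time"],
                           "count": row["count"], "searches": sorted(row["searches"])})
    return alerts


def t(hh, mm):
    return datetime(2024, 5, 1, hh, mm)


NOW = t(12, 0)  # constructed clock; the window is 11:00 <= _time < 12:00
SAMPLE_EVENTS = [  # constructed Search_Activity records, not real audit data
    {"_time": t(11, 5), "user": "alice", "search_type": "adhoc", "total_run_time": 420.0,
     "search": "search index=main | stats count by host | outputlookup hosts.csv"},
    {"_time": t(11, 20), "user": "alice", "search_type": "adhoc", "total_run_time": 180.0,
     "search": "search index=web | sendemail to=ops@example.com"},
    {"_time": t(11, 30), "user": "bob", "search_type": "adhoc", "total_run_time": 30.0,
     "search": "search index=main | collect index=summary"},
    {"_time": t(11, 40), "user": "carol", "search_type": "adhoc", "total_run_time": 900.0,
     "search": "search index=main | stats count"},           # long, but no listed command
    {"_time": t(11, 45), "user": "splunk-system-user", "search_type": "adhoc",
     "total_run_time": 50.0, "search": "search index=tmp | collect index=summary"},  # excluded user
    {"_time": t(11, 50), "user": "dave", "search_type": "adhoc", "total_run_time": 0.5,
     "search": "| runshellscript cleanup.sh"},                # total_run_time not > 1
    {"_time": t(10, 50), "user": "alice", "search_type": "adhoc", "total_run_time": 300.0,
     "search": "search index=tmp | outputcsv old.csv"},       # outside the last hour
    {"_time": t(11, 55), "user": "eve", "search_type": "scheduled", "total_run_time": 100.0,
     "search": "search index=x | outputcsv out.csv"},         # not adhoc
]
SAMPLE_BASELINES = {  # constructed seven-day hourly run_time sums per user
    "alice": fit_baseline([40, 55, 60, 70, 45, 65, 50, 75, 60, 55]),
    "bob": fit_baseline([20, 35, 30, 25, 40, 30, 35, 25, 30, 30]),
}


def run_sample():
    return detect(SAMPLE_EVENTS, SAMPLE_BASELINES, NOW)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Running it flags only alice: 600 seconds of outputlookup and sendemail in the last hour against a history centred near 60. carol's 900-second search is not scored at all because it contains no listed command, and the splunk-system-user, sub-second and scheduled records drop out before the model is applied. alice's alert is also exactly the false-positive case described at the top of the page if those two searches were legitimate: the model scores run time, not intent, so the `..._filter` macro (or a baseline that has seen such searches) is what separates expected long searches from abusive ones.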